﻿<%
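dim sql_injdata
' "|"-separated blacklist of SQL fragments. Every GET and POST value is checked
' for each term as a plain substring, so ordinary words that merely contain a
' term ("brand" contains "and", "account" contains "count") are rejected too,
' and a keyword blacklist can be evaded. Treat this as defence in depth only:
' the database calls themselves must use parameterised queries.
SQL_injdata = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
SQL_inj = split(SQL_Injdata,"|")

' Query-string values.
If Request.QueryString<>"" Then
    For Each SQL_Get In Request.QueryString
        For SQL_Data=0 To Ubound(SQL_inj)
            ' InStr defaults to a binary (case-sensitive) compare, so mixed-case
            ' input slipped past the all-lowercase list; vbTextCompare fixes that.
            if instr(1,Request.QueryString(SQL_Get),Sql_Inj(Sql_DATA),vbTextCompare)>0 Then
                ' The alert text is a fixed literal; nothing client-supplied is echoed here.
                Response.Write "<Script Language=javascript>alert('注意：请不要提交非法请求！您的注入行为和IP地址已被记录!');history.back(-1)</Script>"
                Response.end
            end if
        next
    Next
End If

' Form (POST) values, same check.
If Request.Form<>"" Then
    For Each Sql_Post In Request.Form
        For SQL_Data=0 To Ubound(SQL_inj)
            if instr(1,Request.Form(Sql_Post),Sql_Inj(Sql_DATA),vbTextCompare)>0 Then
                Response.Write "<Script Language=javascript>alert('注意：请不要提交非法请求！您的注入行为和IP地址已被记录!');history.back(-1)</Script>"
                Response.end
            end if
        next
    next
end if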



' Buffer the page so output can be held back until the checks below pass.
Response.Buffer = True
' Run the regex screen over each client-supplied collection; StopInjection
' ends the response itself when a value matches.
If Request.QueryString <> "" Then StopInjection Request.QueryString, "QueryString"
If Request.Form <> "" Then StopInjection Request.Form, "Form"
If Request.Cookies <> "" Then StopInjection Request.Cookies, "Cookies"
'正则子函数
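Function StopInjection(Values,Rtype)
    ' Screen one Request collection (QueryString, Form or Cookies) against the
    ' blacklist regex and abort the response on the first matching value.
    ' Values: collection to scan; iterated with For Each, Values(key) yields
    '         each value as a string.
    ' Rtype:  label used in the rejection message ("QueryString", "Form", ...).
    ' Returns nothing meaningful; on a match it writes a message and calls
    ' Response.End, so control does not come back to the caller.
    ' A keyword blacklist can be evaded, so this is only a secondary check;
    ' the database access itself must use parameterised queries.
    Dim regEx, sItem, sValue
    Set regEx = New RegExp
    regEx.IgnoreCase = True
    regEx.Global = True
    ' NOTE(review): inside a character class "\b" is a backspace, not a word
    ' boundary, so "[\s\b+()]+" matches whitespace, backspace, "+", "(" and ")"
    ' only; the pattern is kept as-is because changing it changes what is blocked.
    regEx.Pattern = "'|;|#|([\s\b+()]+(select|update|insert|delete|declare|@|exec|dbcc|alter|drop|create|backup|set|exists)[\s\b+]*|varchar)"
    For Each sItem In Values
        ' LCase is redundant with IgnoreCase but harmless; kept so the echoed
        ' text is unchanged.
        sValue = LCase(Values(sItem))
        If regEx.Test(sValue) Then
            ' sValue is client-controlled and is written into the HTML page:
            ' HTML-encode it, otherwise the rejection message itself is a
            ' reflected-XSS sink.
            Response.Write Rtype & "注入:" & Server.HTMLEncode(sValue) &"<br>"
            Response.End
        End If
    Next
    Set regEx = Nothing
End function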
%>


<%
'--------定义部份------------------
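Dim XH_Post,XH_Get,XH_Cookie,XH_In,XH_Inf,XH_Xh,XH_Inf2,XH_In2
' Blacklists of substrings, "|"-separated. XH_In is used for GET/POST values,
' XH_In2 (no "*" or "%") for cookies. The values are compared lower-cased, so
' every term must be lower-case: the former "Asc" entry could never match.
' Request.Form / Request.QueryString hand back URL-decoded values, so the
' former "%20" inside multi-word terms never matched the space it stood for;
' the terms now contain a literal space. Substring matching also rejects
' ordinary words that contain a term ("from", "and"), and a blacklist can be
' evaded, so the real control remains parameterised queries in the data layer.
XH_In = "'|;|and|exec|insert|select|delete from|update|count|*|%|chr|mid|master|truncate|char|declare|drop table|from|net user|xp_cmdshell|/add|net localgroup administrators|asc"
XH_In2 = "'|;|and|exec|insert|select|delete from|update|count|chr|mid|master|truncate|char|declare|drop table|from|net user|xp_cmdshell|/add|net localgroup administrators|asc"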
'----------------------------------
%>

<%
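XH_Inf = split(XH_In,"|")
XH_Inf2 = split(XH_In2,"|")

' Write the rejection report for one offending value and stop the response.
' XH_Method: channel label shown to the user ("ＰＯＳＴ", "ＧＥＴ", "Cookie").
' XH_Name:   parameter or cookie name; XH_Value: its raw value.
' Name and value both come from the client and are written into the HTML
' page, so they are HTML-encoded; echoing them raw was a reflected-XSS sink.
' Never returns: ends with Response.End.
Sub XH_Report(XH_Method, XH_Name, XH_Value)
    Response.Write "非法操作！系统做了如下记录↓<br>"
    Response.Write "操作ＩＰ："&Request.ServerVariables("REMOTE_ADDR")&"<br>"
    Response.Write "操作时间："&Now&"<br>"
    Response.Write "操作页面："&Request.ServerVariables("URL")&"<br>"
    Response.Write "提交方式："&XH_Method&"<br>"
    Response.Write "提交参数："&Server.HTMLEncode(XH_Name)&"<br>"
    Response.Write "提交数据："&Server.HTMLEncode(XH_Value)
    Response.End
End Sub

' True when XH_Value contains any term of the XH_Terms array.
' Uses a case-insensitive InStr (vbTextCompare); the earlier LCase-then-binary
' compare silently left any term with an upper-case letter unmatched.
Function XH_Matches(XH_Value, XH_Terms)
    Dim XH_I
    XH_Matches = False
    For XH_I = 0 To UBound(XH_Terms)
        If InStr(1, XH_Value, XH_Terms(XH_I), vbTextCompare) <> 0 Then
            XH_Matches = True
            Exit Function
        End If
    Next
End Function

' POST values: blacklist XH_Inf.
If Request.Form<>"" Then
    For Each XH_Post In Request.Form
        If XH_Matches(Request.Form(XH_Post), XH_Inf) Then XH_Report "ＰＯＳＴ", XH_Post, Request.Form(XH_Post)
    Next
End If

' GET values: blacklist XH_Inf.
If Request.QueryString<>"" Then
    For Each XH_Get In Request.QueryString
        If XH_Matches(Request.QueryString(XH_Get), XH_Inf) Then XH_Report "ＧＥＴ", XH_Get, Request.QueryString(XH_Get)
    Next
End If

' Cookie values: the narrower blacklist XH_Inf2 (no "*" / "%" terms).
If Request.Cookies<>"" Then
    For Each XH_Cookie In Request.Cookies
        If XH_Matches(Request.Cookies(XH_Cookie), XH_Inf2) Then XH_Report "Cookie", XH_Cookie, Request.Cookies(XH_Cookie)
    Next
End If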
%>